MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2949238e905b60ddd91ff861101d2877bbad4c12e1fec1bbf3c1f0b7d685460. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2949238e905b60ddd91ff861101d2877bbad4c12e1fec1bbf3c1f0b7d685460
SHA3-384 hash: 95c895f7218a5397191b482acef7f733eaadee03c89e2d4e926693a6b46ee38cb7174907398167aded08ed4b39ec73c8
SHA1 hash: b9aa693b69b8dd0d2d679dfb2fb1cadf5f12ae74
MD5 hash: 61c6c74ac1bfaaf8546dab27f6dab8f4
humanhash: snake-kentucky-batman-queen
File name:61c6c74ac1bfaaf8546dab27f6dab8f4.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'088'512 bytes
First seen:2023-07-10 12:03:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e7f2667392d8d1bd01896145ab96743 (5 x RedLineStealer)
ssdeep 24576:N0iid6uv1xs2IV/YohC9Xs6ICXzoowbcWrQNDr:Ev1xs2CEPICXz4b1rQDr
Threatray 44 similar samples on MalwareBazaar
TLSH T142356C6039CB832DEED62C7E05ECB964C3ECA4B007E745DBE68416EAC9146DD6B321C5
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
61c6c74ac1bfaaf8546dab27f6dab8f4.exe
Verdict:
Malicious activity
Analysis date:
2023-07-10 12:05:01 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/2fd4c594-9a0e-49b6-8e32-a9f73a54bb21

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/413537/
Detection(s):
SecuriteInfo.com.Malware.PDB-22.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/96912/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/64abf3b62333b198b23a0888/reports/c4485b88-b6b1-4705-8f39-ed9e96b1cfa4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/a2949238e905b60ddd91ff861101d2877bbad4c12e1fec1bbf3c1f0b7d685460
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6079bc83-2026-4d0f-be08-1f9eea35a9e7
Result
Threat name:
MinerDownloader, RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1270106
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2949238e905b60ddd91ff861101d2877bbad4c12e1fec1bbf3c1f0b7d685460/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-10 12:04:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ukkjeohjaw3a3xmr76dbcaosq553vvgbfyp6yg57hqpqw7likrqa._file
Verdict:
malicious
Similar samples:
0010b7ec1d9f4bea9f2ca750de9467dc81b75cbb2b4c82f4843e863615409f1e
RedLineStealer
02c640ef3ac9d7fa8c919b0f72bb85413ef3e9803d2d091277b9a7c41f52e9d9
RedLineStealer
0e59fafb2de30f5fa5b6cce425f40115180b373592e1a201702742a6e8f21cc9
RedLineStealer
43f7dfd100d1188143e4ab71a4f513c85568e2b1a9999690618e3f3eaebd4099
RedLineStealer
618d5757cf057b15ac4608340b2c7f641bf56661da501b5084b0fa9212a1dcfd
RedLineStealer
99140bcea0df5df002662cbbbbf8de1369bad231868368015a29e57c5cd9b80f
RedLineStealer
d0873782fa5d4851ddd95e98767467d177e1b42a684b202cd681968ea2ece832
RedLineStealer
db78b5b857378304d5d72a826a2f1e261a71791eda971bf952cbd8182bbc62bd
RedLineStealer
dc4df62efb7c9b410401653297e66098809afa302874d98711b82e20864a8049
RedLineStealer
dc7c3e74ee2bee96a497b83d6f417305bcdf8a5473b15ff5c348cbf18a2d6330
RedLineStealer
+ 34 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1red1 infostealer spyware
Link:
https://tria.ge/reports/230710-n8mj6aab24/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
RedLine
Malware Config
C2 Extraction:
77.246.110.195:8599
Unpacked files
SH256 hash:
8bdc99aa861fda33fa66e72c65451b225a41c21da51dec53137dd3ef0f325e14
MD5 hash:
f7d837a34678f655d2600cd6d38e1fe2
SHA1 hash:
79ccca01271d8501632411192432dde1e5536d85
Link:
https://www.unpac.me/results/6ff7728f-a34a-400e-a92f-cdccd035f0b1/
SH256 hash:
a2fdc80a877bef92cd569982f379331c821c337a322547d89c698cbe415b859e
MD5 hash:
5f0f246ed497a8ff9d80004efe068346
SHA1 hash:
cb997a3c1a1f4884d17d1f5a2c86c277f323124b
Detections:
redline
Create hunting rule
redline
Create hunting rule
Link:
https://www.unpac.me/results/6ff7728f-a34a-400e-a92f-cdccd035f0b1/
Parent samples :
a2949238e905b60ddd91ff861101d2877bbad4c12e1fec1bbf3c1f0b7d685460
dae4ef263266f77d4bc88a23772a5a65e8ffe9ce69e3446019fbc2cd6b87df79
4c3b0c1e5e66b0f794e09afe724a3a805610becebc02741f009603ab2e2bb689
c9030652b5ad2388542a4f54208bb717b82fb19d1ff34289a77ebb65e9ee7b66
99bd949bb95d531c8047ade15df066625d7f534864a4fa066b354b958b620284
SH256 hash:
8bdc99aa861fda33fa66e72c65451b225a41c21da51dec53137dd3ef0f325e14
MD5 hash:
f7d837a34678f655d2600cd6d38e1fe2
SHA1 hash:
79ccca01271d8501632411192432dde1e5536d85
Link:
https://www.unpac.me/results/6ff7728f-a34a-400e-a92f-cdccd035f0b1/
SH256 hash:
a2fdc80a877bef92cd569982f379331c821c337a322547d89c698cbe415b859e
MD5 hash:
5f0f246ed497a8ff9d80004efe068346
SHA1 hash:
cb997a3c1a1f4884d17d1f5a2c86c277f323124b
Detections:
redline
Create hunting rule
redline
Create hunting rule
Link:
https://www.unpac.me/results/6ff7728f-a34a-400e-a92f-cdccd035f0b1/
Parent samples :
a2949238e905b60ddd91ff861101d2877bbad4c12e1fec1bbf3c1f0b7d685460
dae4ef263266f77d4bc88a23772a5a65e8ffe9ce69e3446019fbc2cd6b87df79
4c3b0c1e5e66b0f794e09afe724a3a805610becebc02741f009603ab2e2bb689
c9030652b5ad2388542a4f54208bb717b82fb19d1ff34289a77ebb65e9ee7b66
99bd949bb95d531c8047ade15df066625d7f534864a4fa066b354b958b620284
SH256 hash:
a2949238e905b60ddd91ff861101d2877bbad4c12e1fec1bbf3c1f0b7d685460
MD5 hash:
61c6c74ac1bfaaf8546dab27f6dab8f4
SHA1 hash:
b9aa693b69b8dd0d2d679dfb2fb1cadf5f12ae74
Link:
https://www.unpac.me/results/6ff7728f-a34a-400e-a92f-cdccd035f0b1/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a2949238e905/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/413537/

Comments